(484) 574-8782

New EBP SAS – AICPA issues Statement on Auditing Standards No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA

As expected, In July 2019, the AICPA Auditing Standards Board (ASB) issued AICPA Statement on Auditing Standards No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (“SAS No. 136″ or the “new EBP SAS”). This new standard prescribes certain new performance requirements for ERISA plan financial statement audits and changes the form and content of the related auditor’s report to improve audit quality and enhance the communicative value and transparency of the auditor’s report. It includes new requirements in all phases of an audit of ERISA plan financial statements including engagement acceptance, risk assessment and response, communication with those charged with governance, performance procedures, and reporting.

Good Bye Limited Scope Audit, Hello ERISA Section 103(a)(3)(C) Audit

Another significant change is that an audit performed pursuant to ERISA section 103(a)(3)(C) will no longer be referred to as a “limited scope audit” but rather going forward will be referred to as an “ERISA section 103(a)(3)(C) audit.” The new audit standard includes new performance and reporting requirements specific to ERISA section 103(a)(3)(C) audits.

Clarity on Management’s Responsibilities 

As part of the auditor’s acceptance of the audit engagement the auditor will request plan management (sponsor/administrator) to acknowledge in the engagement letter management’s responsibilities for:

  • maintaining
    a current plan instrument,
  • administering
    the plan, and
  • providing
    the auditor with a draft Form 5500 prior to the dating of the auditor’s report.

New Representations

In addition, the new standard requires that the auditor obtain certain written management representations at the conclusion of the engagement regarding those responsibilities. It also includes new acknowledgements related to management’s responsibilities with respect to the investment certification when management elects to have an ERISA Section 103(a)(3)(C) audit (previously called a “limited scope” audit as noted above).

Focus on Compliance

SAS No. 136 requires the auditor to perform certain procedures when planning and performing the audit that in the past were not expressly required. Most of the required procedures are already included as suggested audit procedures in the extant Audit and Accounting Guide, Employee Benefit Plans and our firm already performs these procedures. As a result, we do not expect the new requirements to result in significant changes to the procedures we perform. However, for some firm which do not currently perform the suggested procedures, substantial changes to audit planning and procedures may be necessary.

Effective Date

SAS No. 136 will be effective for audits of ERISA plan financial statements for periods ending on or after December 15, 2020. This means that 2020 year-end audits being performed in 2021 will be required to follow the performance and reporting requirements of this SAS, including using the new form of the auditor’s report. The EBP SAS prohibits early adoption.

Resources

The AICPA has published At a Glance, New Auditing Standard for Employee Benefit Plans which gives a summary of the changes coming for the benefit plan audits as well as the audit advisory, EBP SAS No. 136: Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA.

Details of the Key Changes of the New EBP SAS:

A new name and type of audit opinion – ERISA section
103(a)(3)(C) audits (previously referred to as “limited scope” audits)

An audit performed pursuant to ERISA section 103(a)(3)(C) will no
longer be referred to as a “limited scope audit” but rather going
forward referred to as an “ERISA section 103(a)(3)(C) audit.” The EBP
SAS includes new performance and reporting requirements specific to ERISA
section 103(a)(3)(C) audits.

The new EBP SAS notes that an ERISA section 103(a)(3)(C) audit is
unique to EBPs and is not considered a scope limitation, therefore the auditor
would no longer issue a modified opinion (typically a disclaimer of opinion)
due to information that is certified by a qualified institution. Instead, the
report provides a two-pronged opinion that is based on the audit and on the
procedures performed relating to the certified investment information. It
provides an opinion on whether the information not covered by the certification
is presented fairly, and an opinion on whether the certified investment
information in the financial statements agrees to or is derived from the
certification.

Changes to form and content of auditor’s report

Report on audited financial statements

The EBP SAS significantly changes the form and content of the
auditor’s report. The EBP SAS also includes reporting guidance when the auditor
identifies a material inconsistency between the draft Form 5500 and the ERISA
plan financial statements that requires revision of the audited ERISA plan
financial statements or the Form 5500 and management refuses to make the
revision.

For the first time, Generally Accepted Auditing Standards (GAAS)
requires an ordering of certain report elements for all audit engagements,
including ERISA audits. The “Opinion” section is required to be placed first,
followed by the “Basis for Opinion” section. The “Basis for Opinion” section is
new for all entities for which an opinion is issued, which includes a statement
that the auditor is required to be independent. For ERISA section 103(a)(3)(C)
reports the “Nature and Scope of the ERISA Section 103(a)(3)(C) Audit” section
is required to be placed before the opinion and basis for opinion sections. The
EBP SAS also requires the use of specific headings. The first section of the
auditor’s report should include the auditor’s opinion and should have the
heading “Opinion.” Directly following the “Opinion” section, the report should
include a “Basis for Opinion” section. The content of the EBP SAS aligns with
the requirements of SAS No. 134, Auditor Reporting and Amendments, Including Amendments
Addressing Disclosures in the Audit of Financial Statements. It also contains incremental
requirements specific to ERISA audits relating to management’s responsibilities
for:

  • maintaining
    a current plan instrument, including all plan amendments,
  • administering
    the plan,
  • determining
    that the plan’s transactions that are presented and disclosed in the financial statements
    are in conformity with the plan’s provisions, and
  • maintaining
    sufficient records with respect to each of the participants, to determine the
    benefits due or which may become due to such participants

The EBP SAS includes illustrative auditor’s reports. In addition,
the EBP SAS includes reporting guidance for the auditor’s report for audits:

  • Conducted in
    accordance with both GAAS and another set of auditing standards.
  • Where prior
    period financial statements were audited by a predecessor auditor.
  • Where prior
    period financial statements were not audited.

For an ERISA
Section 103(a)(3)(C) audit:

Different reporting requirements apply to ERISA
Section 103(a)(3)(C) audits, as follows:

  • The
    report provides a two-pronged opinion that is based on the audit and on the
    procedures performed relating to the certified investment information. It
    provides an opinion on whether the information not covered by the certification
    is presented fairly, and an opinion on whether the certified investment
    information in the financial statements agrees to or is derived from the
    certification. It also includes an additional sentence in the management’s
    responsibilities section related to the investment certification.
  • The
    first section of the auditor’s report should include a description of the scope
    and nature of the ERISA Section 103(a)(3)(C) audit and should have the heading
    “Scope and Nature of the ERISA Section 103(a)(3)(C) Audit.”
  • The
    auditor’s responsibilities section should state that:

    • state
      that the audit did not extend to the certified investment information, except
      for obtaining and reading the certification, comparing the certified investment
      information with the related information presented and disclosed in the
      financial statements, and reading the disclosures relating to the certified
      investment information to assess whether they are in accordance with the
      presentation and disclosure requirements of the applicable financial reporting
      framework.
    • accordingly,
      the objective of the ERISA Section 103(a)(3)(C) audit is not to express an
      opinion about whether the financial statements as a whole are presented fairly,
      in all material respects, in accordance with the applicable financial reporting
      framework.

Report on ERISA-required supplemental schedules

For an audit not subject to ERISA Section
103(a)(3)(C), the EBP SAS now requires the auditor, in situations when
the auditor’s report on the audited financial statements contains an unmodified
or a qualified opinion, to include a statement about whether, in the auditor’s
opinion, the form and content of the information in the accompanying
schedules are presented in conformity with the Department of Labor’s Rules and
Regulations for Reporting and Disclosure under ERISA.

Other key provisions of the EBP SAS

The new standard includes new requirements in all
phases of an audit of
ERISA plan financial statements. Other key provisions included in the SAS include the following:

Engagement Acceptance

The EBP SAS includes new engagement acceptance requirements in addition to the preconditions for an audit in AU-C section 210, Terms of Engagement. It requires that the auditor obtain the agreement of management that it acknowledges and understands its responsibilities for the following (which can be done through the engagement letter):

  • Maintaining
    a current plan instrument, including all plan amendments.
  • Administering
    the plan and determining that the plan’s transactions that are presented and
    disclosed in the plan financial statements are in conformity with the plan’s
    provisions, including maintaining sufficient records with respect to each of
    the participants to determine the benefits due or which may become due to such
    participants.
  • Providing to
    the auditor, prior to the dating of the auditor’s report, a draft of Form 5500
    that is substantially complete.
  • When
    management elects to have an ERISA Section 103(a)(3)(C) audit, determining
    whether o an ERISA Section 103(a)(3)(C) audit is permissible under the
    circumstances,

    • the
      investment information is prepared and certified by a qualified institution as
      described in 29 CFR 2520.103-8,
    • the
      certification meets the requirements in 29 CFR 2520.103-5, and
    • the
      certified investment information is appropriately measured, presented, and
      disclosed in accordance with the applicable financial reporting framework

Risk Assessment

The EBP SAS requires that the auditor:

  • Obtain and
    read the most current plan instrument for the audit period, including effective
    amendments, as part of obtaining an understanding of the entity sufficient to
    perform risk assessment procedures.
  • Consider
    whether to test specific plan provisions as part of risk assessment. Because of the nature of ERISA
    audits, it would be rare for the auditor, based upon the assessed risks of
    material misstatement at the relevant assertion level, not to test any relevant
    plan provisions. The EBP SAS includes an appendix A that provides some examples
    of plan provisions often included in a plan instrument by audit area.

Planning and Fieldwork

The EBP SAS requires that the auditor perform the procedures necessary to become satisfied that received and disbursed amounts (for example, employer or employee contributions and benefit payments) reported by the trustee or custodian were determined in accordance with the plan provisions. When designing and performing audit procedures, the auditor is required to consider:

  • Relevant
    plan provisions that affect the risk of material misstatement at the relevant
    assertion level for classes of transactions, account balances, and disclosures.
  • Whether
    management has performed the relevant IRC compliance tests, including but not limited
    to, discrimination testing, and has corrected or intends to correct failures,
    as applicable.

The auditor also is required to evaluate:

  • Whether
    prohibited transactions identified by management or as part of the audit have
    been appropriately reported in the applicable ERISA-required supplemental
    schedules.
  • Whether
    items identified that are not in accordance with the criteria specified (for
    example, not in accordance with the plan instrument), are reportable findings
    as defined in the EBP SAS.

When management elects to have an ERISA Section 103(a)(3)(C)
audit, the auditor also is required to:

  • Inquire of
    management about how management determined that the entity preparing and
    certifying the investment information is a qualified institution under DOL
    rules and regulations, and evaluate management’s assessment of whether the
    institution is qualified.
  • Perform the
    following procedures on the certified investment information:

    • Obtain from
      management and read the certification as it relates to investment information
      prepared and certified by a qualified institution.
    • Compare the
      certified investment information with the related information presented and
      disclosed in the ERISA plan financial statements and ERISA-required
      supplemental schedules.
    • Read the
      disclosures relating to the certified investment information to assess whether
      they are in accordance with the presentation and disclosure requirements of the
      applicable financial reporting framework.
  • Identify
    which investment information is certified, and perform audit procedures on the
    financial statement information, including the disclosures, not covered by the
    certification as well as noninvestment-related information based on the
    assessed risk of material misstatement. Plans may hold investments in which
    only a portion are covered by a certification by a qualified institution. In
    that case, the auditor should perform audit procedures on the investment
    information that has not been certified.

Documentation

If the auditor has determined that it is not necessary to test any relevant plan provisions as part of risk assessment, the auditor is required to document the considerations in reaching such conclusion.

Review of Draft Form 5500

The EBP SAS requires the auditor to make appropriate arrangements with management to obtain the draft Form 5500, and read the draft Form 5500 in order to identify material inconsistencies, if any, with the audited ERISA plan financial statements prior to dating the auditor’s report. If the auditor identifies a material inconsistency, he or she should determine whether the audited ERISA plan financial statements or the draft Form 5500 needs to be revised.

Communications with Management and Those Charged with Governance

The auditor is required to make certain EBP-specific communications with management and/or those charged with governance, as follows:

  • Reportable
    findings (as defined in the EBP SAS) must be communicated in writing to management
    and those charged with governance in a timely manner in accordance with the
    requirements in other relevant AU-C sections.
  • The auditor
    is required to discuss with management prohibited transactions with a party in
    interest of which the auditor has become aware that have not been properly
    reported in the applicable ERISA-required supplemental schedule.
  • The auditor
    should communicate with those charged with governance the auditor’s
    responsibility with respect to Form 5500, procedures performed relating to Form
    5500, and the results of those procedures.

The EBP SAS also addresses what the auditor should do when a
material inconsistency between the draft Form 5500 and the ERISA plan financial
statements is identified or when the auditor becomes aware of a material
misstatement of fact.

For an ERISA Section 103(a)(3)(C) audit, if:

  • The auditor
    has concerns about whether the entity preparing and certifying the investment
    information is a qualified institution, the auditor is required to discuss his
    or her concerns with management. If management does not provide sufficient
    information that supports its determination that the entity preparing and
    certifying the investment information is a qualified institution, then the
    auditor should discuss his or her concerns with those charged with governance
    and determine the implications for the audit.
  • The auditor
    becomes aware that the certified investment information in the financial
    statements and related disclosures is incomplete, inaccurate, or otherwise
    unsatisfactory, the auditor should discuss the matter with management and
    perform additional procedures to determine the appropriate course of action.

The auditor should not issue a written communication stating that
no reportable findings were identified during the audit.

Management Representations

The EBP SAS requires that the auditor obtain certain written management representations in addition to those required by AU-C section 580, as follows:

  • That
    management has provided the auditor with the most current plan instrument for
    the audit period, including all plan amendments.
  • Acknowledgement
    of its responsibility for administering the plan and determining that the
    plan’s transactions that are presented and disclosed in the ERISA plan
    financial statements are in conformity with the plan’s provisions, including
    maintaining sufficient records with respect to each of the participants to
    determine the benefits due or which may become due to such participants.
  • When
    management elects to have an ERISA Section 103(a)(3)(C) audit, acknowledgement
    that management’s election of the ERISA Section 103(a)(3)(C) audit does not
    affect its responsibility for the financial statements and for determining
    whether:

    • an ERISA Section 103(a)(3)(C) audit is permissible under the
      circumstances
    • the
      investment information is prepared and certified by a qualified institution as
      described in 29 CFR 2520.103-8
    • the
      certification meets the requirements in 29 CFR 2520.103-5, and
    • the
      certified investment information is appropriately measured, presented, and
      disclosed in accordance with the applicable financial reporting framework

Reporting

In addition, the EBP SAS includes new reporting requirements as follows:

When identified prohibited transactions have not
been appropriately reported in the applicable ERISA-required supplemental
schedules, the auditor is required to:

  • Modify
    the opinion on the supplemental schedule, when the effect of the transaction is
    material based on the financial statements as a whole.
  • Include
    additional discussion in the other-matter paragraph in the auditor’s report on
    the supplemental schedules describing the prohibited transaction if the effect
    of the prohibited transaction is not material to the financial statements.
  • If the
    prohibited party-in-interest transaction is material and is also considered a
    related party transaction, and that transaction is not properly disclosed in
    the notes to the plan financial statements, modify the auditor’s opinion on the
    financial statements due to a departure from the applicable financial reporting
    framework.

If you have any questions on how this new standard may affect your
benefit plan audit, please do not hesitate to contact us.